Method for controlling computer network security.

A filter module allows controlling network security by specifying security rules for traffic in the network and accepting or dropping communication packets according to these security rules. A set of security rules is defined in a high level form and is translated into packet filter code. The packet filter code is loaded into packet filter modules located at strategic points in the network. Each packet transmitted or received at these locations is inspected by performing the instructions in the packet filter code. The result of the packet filter code operation decides whether to accept (pass) or reject (drop) the packet, disallowing the communication attempt.
BACKGROUND OF THE INVENTION

The present invention relates in general to a method for controlling computer network security. More specifically, it relates to an easily alterable or expandable method for computer network security which controls information flow on the network from/to external and internal destinations.

Connectivity and security are two conflicting objectives in the computing environment of most organizations. The typical modern computing system is built around network communications, supplying transparent access to a multitude of services. The global availability of these services is perhaps the single most important feature of modern computing solutions. Demand for connectivity comes both from within organizations and from outside them.

Protecting network services from unauthorized usage is of paramount importance to any organization.

For example, an organization, once connected to the Internet, will offer all the services which it offers locally to the entire world. Using current technology, an organization must give up outside connectivity in order to prevent vulnerability.

As the need for increased security grows, the means of controlling access to network resources has become an administrative priority. In order to save cost and maintain productivity, access control must be simple to configure and transparent to users and applications. The minimization of setup costs and down time are also important factors.

Packet filtering is a method which allows connectivity yet provides security by controlling the traffic passed, thus preventing illegal communication attempts, both within networks and between networks.

Current implementation of packet filtering allows specification of access list tables according to a fixed format. This method is limited in its flexibility to express a given organization's security policy. It is also limited to the protocols and services defined in that particular table. This method does not allow the introduction of different protocols or services which are not specified in the original table.

Another method of implementing packet filtering is tailoring the computer operating system code manually at each strategic point in the network. This method is limited by its flexibility to future changes in network topology, new protocols, enhanced services and to future security threats. It requires a programmer for modifying the program code.

It is an object of the present invention to provide a method for computer network security which is easily alterable or expandable.

These and other objects, features and advantages are provided by a method of operating a computer network, in which data is passed in said network as data packets, for controlling the passage of said data packets in said network according to a security rule, the method comprising the steps of generating in said computer a definition of each aspect of the network controlled by a security rule; generating said security rule, in said computer, in terms of said aspect definitions, controlling at least one of said aspects; converting said security rule into a set of filter language instructions for controlling operation of a packet filtering module which controls passage of said data packet; providing a packet filter module in at least one entity of the network to control the passage of data packets in accordance with said rule, said module implementing a packet filtering virtual machine; said module reading and executing said instructions for operating said packet filtering module virtual machine to either accept or reject the passage of said packet in said network.

Another aspect of the invention includes a security system for a computer network in which data is passed in said network as data packets, the system controlling the passage of said data packets in the network according to a security rule, where each aspect of said network controlled by said security rule has been defined, said security rule has been defined in terms of said aspects and converted into filter language instructions, a method for operating the system comprising the steps of providing a packet filter module in at least one entity of the network to be controlled by said security rule, said module implementing a packet filtering virtual machine which controls passage of said data packet; said module reading and executing said instructions for operating said packet filtering module to accept or reject the passage of said packet in said network.

A further aspect of the invention comprises a security system for a computer network in which data is passed in said network as data packets, the system controlling passage of said data packets in the network according to a security rule, where each aspect of said network controlled by said security rule has been defined, said security rule has been defined in terms of said aspects and converted into filter language instructions, a method for operating the system comprising the steps of providing a packet filter module in at least one entity of the network to be controlled by said security rule, said module emulating a packet filtering module which controls passage of said data packet; said module reading and executing instructions for a packet filtering operation; storing the results in a storage device; said module reading and executing instructions and utilizing said stored results for operating said packet filter module to accept or reject the passage of said packet in said network.

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is an example of a network topology;

Figure 2 shows a security system of the present invention applied to the network topology of Figure 1;

Figure 3 shows the computer screen of the network administrator of Figure 2 in greater detail;

Figure 4 is a flow diagram of the subsystem for converting graphical information to filter script;

Figure 5 is a flow diagram of an information flow on a computer network employing the present invention;

Figure 6 is a flow diagram of the operation of the packet filter shown in Figure 5;

Figure 7 is a flow diagram showing the virtual machine operations shown in Figure 6;

Figure 8 is a flow diagram of the data extraction method of Figure 7;

Figure 9 is a flow diagram of the logical operation method of Figure 7;

Figure 10 is a flow diagram of the comparison operation method of Figure 7;

Figure 11 is a flow diagram of the method of entering a literal value to memory;

Figure 12 is a flow diagram of a conditional branch operation;

Figure 13 is a flow diagram of an arithmetic and bitwise operation;

Figure 14 is a flow diagram of a lookup operation; and

Figure 15 is a flow diagram of a record operation.

DETAILED DESCRIPTION

Referring now to Figure 1, an example network topology is shown. In this example, the main site 100 
contains a system administrator function embodied in workstation 102. This workstation is coupled to the 
network which includes workstations 104, router 110 and gateway 106. Router 110 is coupled via satellite 

112 to a remote site via gateway 122. Gateway 106 is coupled via router 108 to the Internet. The remote site 120 comprises workstations 124 which are coupled to the network and via gateway 122 to the Internet. The particular configuration shown herein is chosen as an example only and is not limitive of the type of network on which the present invention can work. The number of configurations that networks can take is virtually limitless and techniques for setting up these configurations are well known to those skilled in the art. The present invention can operate on any of these possible configurations.

Figure 2 shows the network of Figure 1 in which the present invention has been installed. In Figure 2, 
elements also shown in Figure 1 have the same reference numerals. As shown, the system administrator 
102 includes a control module 210, a packet filter generator 208, a display 206 and a storage medium 212. 
Packet filters 204 have been installed on the system administrator, workstations 104 and gateway 106. 

Gateway 106 has two such filters, one on its connection to the network and one on its connection to the
router 108. Routers 108 and 110 each have a programming script table which is generated by the security 
system, but which forms no part of the present invention, and will not be described in detail. These tables 
correspond to the tables that are currently utilized to program routers, as is well known to those skilled in 
the art. 

Packet filters 204 are also installed on the gateway 122 of the remote site 120. One packet filter is
installed on the connection between the satellite 112 and the gateway 122, a second packet filter is installed 
on the connection between the Internet and gateway 122 and a third packet filter is installed on the 
connection between the gateway and the network. 

Information flows on the network in the form of packets, as is well known to those skilled in the art. The 

location of the packet filters in Figure 2 is chosen so that data flow to or from a particular object of the
network, such as a workstation, router or gateway can be controlled. Thus, workstations 104 each have a 
packet filter so that the information flow to/from these workstations is separately controlled. At the remote 
site 120, however, the packet filter is placed on the connection between the gateway 122 and the network, 
thus there is no individual control over the data flow to/from the workstations 124. If such individualized 

control were required, packet filters could be placed on each of the workstations 124, as well. Each of the
packet filters is installed at the time that the network is set up or the security system is installed, although 
additional packet filters can be installed at a later date. The packet filters are installed on the host device 
such as the workstation or gateway at which protection is desired. 
Each of the packet filters 204 operates on a set of instructions which has been generated by the packet filter generator 208. The system administrator can be provided with full reports as to the operation of the network and the success or failure of communication attempts.

Network objects and services are two aspects of the network which must be defined in the security method of the present invention. Window 304 is used to define network objects such as the workstations, gateways and routers, as well as groups of objects, for example the finance department, the research and development department, or the directors of the company. It is thus possible to control data flow not only to individual computers on the network but also to groups of computers on the network by the appropriate placement of packet filters. This allows the system operator to have a great deal of flexibility in the managing of communications on the network. It is possible, for example, for the directors to be able to communicate directly with the finance group, but to filter out other communications. It is also possible to allow electronic mail from all but a specified set of computers, and to restrict other information to a specified set of computers. This allows the system operator to provide internal as well as external security. The object definition would include the address of the object on the network, as well as the name of the object or group, whether the object is internal or external to the network, whether or not a packet filter is installed on it, and the graphical symbol used to represent it on the screen.

Similarly, network services are defined in block 306 on the screen. These network services can include login, route, syslog and telnet, for example. Each service is defined by generic and specific properties. A specific property is, for example in the case of telnet, the code string that identifies the incoming and outgoing packets. The generic properties include the name of the service, the port used to provide the service, and the timeout, that is how long a connectionless session may stay inactive, having no packets transmitted in either direction, before assuming that the session is completed. Other elements of a service definition include the program number for RPC services and the outbound connections for accepted connectionless protocols such as UDP. The graphic symbol and its color are also specified.
Block 302 is the rule base manager which allows the new security rule to be entered into the system in a graphical manner, thus freeing the system administrator from having to write code to implement a security rule. The first two elements of a rule are the source and the destination of the communication; the third element is the type of service that is involved and the fourth element is the action to be taken. The action that can be taken includes accept the packet, in which case the packet is passed from the source to the destination, or reject the packet, in which case it is not passed to the destination. If the packet is rejected, no action can be taken or a negative acknowledgement can be sent indicating that the packet was not passed to the destination. In addition, a further element which can be specified is the installation location for the rule, which specifies on which packet filters the rule will be enforced (see Figure 2). If an installation location is not specified, the system places the packet filter module on the communication destination by default. These objects are not necessarily the destination. For example, a communication from the Internet and destined for a local host must necessarily pass through a gateway. Therefore, it is possible to enforce the rule on the gateway even though the gateway is not the destination. By entering the data with graphical symbols, a new security rule can be entered and verified without the need for writing, compiling and checking new code for this purpose. Thus, the system administrator need not be an expert in programming for security purposes. As long as the service is one of the services already entered into the system, the computer serving as the host for the system administrator function will process the information into a set of instructions for the appropriate packet filter, as described in greater detail below.

Block 308 is a system snapshot which summarizes the setup and operations of the security system. It 

is not required to practice the present invention. The system snapshot displays a summary of the system
using graphical symbols. The summary can include, for example, the host icon, host name, rule base name, 
which is the name of the file containing the rule base, and the date the rule base was installed on the host. 
It can also show the status of the host indicating whether or not there have been communications with the 
host as well as the number of packets inspected by, dropped and logged by the host. 

Figure 4 shows a flow chart of the subsystem for converting the information on the GUI to a filter script

which contains the rules utilized for the packet filter. In the preferred embodiment, the output of the filter 
script generator is compiled into object code which is then implemented by the packet filter module, as 
described below. 

The subsystem 400 starts at 402 and proceeds to block 404, which obtains the first rule from the GUI. The first rule is the first line on the screen in which a new security rule has been identified, as shown in Figure 3. Control then proceeds to block 406 in which code is generated to match the rule source network objects. That is, the source of the packet is entered into the source code block as representing one of the objects of the system from which the data packet will emanate. Control then passes to block 408 in which code is generated in the destination code block to indicate which object of the network the data packet is destined for. Control then passes to block 410 in which code is generated to match the rule services that were chosen. The rule services have been defined previously and are stored within the system or, if not defined, will be defined at the time the security rule regulating the service is entered into the system. Control then passes to block 412 in which code is generated to accept or reject the packet if the data blocks 406, 408 and 410 were matched, that is, the results of the checks were true. The action to accept or reject is based upon the action chosen in the security rule. Control then passes to the decision block 414 which determines whether or not more rules are to be entered into the system. If no more rules are to be entered into the system, the subsystem terminates at block 418. If more rules are to be entered into the system, control passes to block 416 which obtains the next rule and passes control back to block 406, at which time the process repeats and the next security rule, found on the next line of the GUI, is processed.

Communication protocols are layered, which is also referred to as a protocol stack. The ISO (International Standardization Organization) has defined a general model which provides a framework for design of communication protocol layers. This model serves as a basic reference for understanding the functionality of existing communication protocols.
Different communication protocols employ different levels of the ISO model. A protocol in a certain layer may not be aware of protocols employed at other layers. This is an important factor when making security decisions. For example, an application (Level 7) may not be able to identify the source computer for a communication attempt (Levels 2-3), and therefore may not be able to provide sufficient security.

Figure 5 shows how a packet filter module of the present invention is utilized within the ISO model. The communication layers of the ISO model are shown at 502 at the left hand portion of Figure 5. Level 1, block 504, is the hardware connection of the network which may be the wire used to connect the various objects of the network. The second level, block 506 in Figure 5, is the network interface hardware which is located in each computer on the network. The packet filter module of the present invention intercedes between this level and level 3, which is the network software. Briefly, for the sake of completeness, the other levels of the ISO model are level 4, block 510, which relates to the delivery of data from one segment to the next; level 5, block 512, which synchronizes the opening and closing of a "session" on the network; level 6, block 514, which relates to the program handling of the various computers on the network; and level 7, block 516, which is the application level.

A packet arriving at the computer on which the packet filter module resides passes through layers 1 and 2 and then is diverted to the packet filter 520, shown on the right hand portion of Figure 5. The packet is received at block 522. In block 524, the packet is compared with the security rule and a determination is made as to whether or not the packet matches the rule. If the packet matches the rule, it may be logged. If the packet is illegal, that is, an attempt has been made to enter the system in violation of the rule, an alert may be issued. Control then passes to block 534 in which a decision is made whether or not to pass the packet according to the security rule. If the decision is to pass the packet, the packet is then sent on to level 3, block 508. If the decision is not to pass the packet, a negative acknowledgement (NACK) may be sent, and control passes to block 530 where the packet is dropped.

Similarly, if an application generates a packet which is to be sent to another destination, the packet leaves the ISO model at level 3, block 508, and enters block 522 and proceeds by an identical process, except that if the packet is to be passed it is passed to level 2, block 506, rather than level 3, block 508. From level 2 the packet is then sent onto the network at block 504, level 1. If the packet does not match the rule, the next rule will be retrieved and the packet examined to see if it matches that rule. The last rule in the rule base is matched regardless of the source, destination or service specified. This rule only has an action, which is to drop the packet. If no other rule is matched, this rule will be retrieved and will be effective to drop the packet. Dropping the packet is the default under these circumstances. The last rule could, of course, be written to pass the packet.

Referring to Figure 6, 600 is a detailed description of the block 520 of Figure 5. The generalized virtual machine of Figure 6 and the more detailed descriptions shown in Figures 7-10 comprise a definition of the term packet filter module as the term is utilized herein. The capabilities shown in those figures are the minimum required for the packet filter module to operate. Figures 11-15 show additional modules which may be included in the packet filter module, but are not required in the minimal definition of the term. The term is used in this manner throughout the remainder of this application.

The process starts at block 602 in which the packet is received, which corresponds to block 522 of Figure 5. Control then passes to block 604 in which the filter operations are obtained from a storage memory (not shown). These filter operations are the filter operations that have been generated by the packet filter generator 208 shown in Figure 2. Control then passes to block 606 in which the memory 618 is initialized. In block 608 the next virtual machine operation is obtained, and it is performed in block 610. The virtual machine contains a memory stack or register 618 which may be utilized to store intermediate values. The utilization of this stack or register is shown in greater detail in connection with Table 1 below. Control then passes to block 614 in which it is determined whether or not the stop state has been reached. If the stop state has been reached, the decision will have been made to accept or reject the packet, and the packet is dealt with accordingly. If the packet has been passed, the packet is sent on; if the packet has been dropped, a negative acknowledgement may be sent, as shown in the following blocks. If the stop state has not been reached in block 614, the next operation is obtained in block 616 and the process repeats starting with block 610.

The operations performed in step 5, block 610, are shown more clearly in Figure 7. In Figure 7 block 610 and block 614 are identical to the blocks shown in Figure 6. Connection 613 leads to the operations that can be performed, which are shown in parallel. For the operation that is to be performed, control passes to the appropriate block 702, 704 or 706 in which that task will be performed. In block 702 a data extraction will be performed, in block 704 logical operations will be performed and in block 706 a comparison operation will be performed. As shown at the right hand portion of Figure 7, other blocks can be added in parallel for additional operations capable of being performed by the virtual machine. The subset shown in blocks 702, 704 and 706 comprises the essential elements of the virtual machine of the present invention. These elements are shown in greater detail in Figures 8, 9 and 10, respectively. Additional elements which may optionally be included in the operations capable of being performed by the virtual machine are shown in Figures 11-15, respectively.

The data extraction block 702 is shown in greater detail in Figure 8. The process starts at block 802 and control passes to the block in which data is extracted from a specific location within the packet. The location is determined by the stack memory 618 or by the instruction code. The amount of data extracted is also determined by the stack memory or the instruction code. The extracted data is put into the memory stack 810 at block 808. The process terminates at block 812. In these figures, control flow is shown by arrows having a single line whereas data flow is shown by arrows having double lines.

Figure 9 shows logical operation 704 in greater detail. The logical operation starts at block 902 and 
control passes to block 904 in which the first value is obtained from the memory 906. In block 908 a second 
value is obtained from the memory and the logical operation is performed in block 910. If the logical
operation is true, a one is placed in the memory 906 at block 912 and if the logical operation is false, a zero 
is placed in the memory 906 at block 914. The process terminates at block 916. 

The third and last required operation for the virtual machine is shown in greater detail in Figure 10. The 
comparison operation, block 706, starts at block 1002 and control passes to block 1004 in which the first 

value is obtained from memory 1006. Control passes to block 1008 in which a second value is obtained
from memory 1006. A comparison operation between the first and second values takes place at block 1010. 
If the comparison operation is true, a one is placed in memory 1006 at block 1012 and if the comparison 
operation is false a zero is placed in memory 1006 at block 1014. The process terminates in block 1016. 
The following operations are not shown in Figure 7 but may be added at the right side of the figure at 

the broken lines and are connected in the same manner as blocks 702, 704 and 706, that is, in parallel.
Figure 11 shows the entering of a literal value into the memory. The process starts at block 1102 and 
control passes to block 1106 in which the literal value is obtained from the instruction code. The value is 
placed into the memory at block 1108 and the process ends at block 1110. 

A conditional branch operation is shown in Figure 12. The process starts at block 1202 and control 

passes to block 1204 in which the branch condition, taken from the instruction code, is checked. If the branch condition is true, the value is obtained from the memory stack 1206 at block 1208 and checked at block 1210. If the result of the comparison in block 1210 is true, the next step is set to N and the process terminates at block 1216. If the comparison in block 1210 is false, the process terminates at block 1216. If the branch condition is false at block 1204, control passes directly to block 1214.

An arithmetic or bitwise operation is shown in Figure 13. The process starts at block 1302 and control
passes to block 1304 in which the first value is obtained from memory 1306. The second value is obtained 
from memory 1306 at block 1308 and an arithmetic or bitwise operation is performed on the two values 
obtained from the memory 1306 in block 1310. The result of the arithmetic or bitwise operation is placed in 
the memory in block 1312 and the process terminates in block 1314. 

Figure 14 illustrates a lookup operation which is useful if data needs to be passed from a first set of instructions implementing a security rule to a second set of instructions for a second security rule. As shown in block 606 of Figure 6, the memory is initialized whenever a new security rule is processed. Therefore, information placed in the memory by a first security rule will not be available for use by a second security rule. In order to overcome this problem, a separate memory 1410 is supplied which contains Tables 1-3 which can be utilized for this purpose. The entry of data into the tables is shown in Figure 15 and described below. The lookup operation starts at 1402 and control passes to 1404 in which values are obtained from memory 1406. Control passes to block 1408 in which data is obtained from Tables 1-3 at block 1410 by searching for the values in the referred Table. Control passes to block 1412 in which a decision is made as to whether the value is found in the Table. If the decision is yes, a one is placed in memory 1406 at block 1416. If the decision is no, a zero is placed in memory 1406 at block 1414. The process terminates at block 1418.

Referring to Figure 15, the process starts at block 1502 and control passes to block 1504 in which 
values are obtained from memory 1506. Control then passes to block 1508 in which values obtained from 
memory 1506 are placed in the appropriate locations in Tables 1-3 at block 1510. Control passes to block 
1512 in which a decision is made as to whether or not the storage of the values in the Table has succeeded. If the
storage has succeeded a one is placed in memory 1506 at block 1516. If the process has not succeeded, a 
zero is placed in memory 1506 at block 1514. The process terminates at block 1518. 

An example of a security rule implemented using the packet filtering method of the present invention
will now be described, utilizing as an example the security rule to disallow any Telnet services in the
system. Telnet is defined as being a TCP service and having a specific TCP destination port. It will be 
identified by having a TCP protocol value of 6 in byte location 9 of the packet and by having a destination 
Telnet protocol number of 23 in byte location 22 of the packet, the value being a two-byte value. This is 
found in every Telnet request packet. 

The first operation in Table 1 is to extract the IP protocol from the packet location 9 and place this in memory. As shown in the "Memory Values" column at the right side of Table 1, this value, 6, is placed at the top of the stack.

The second operation places the TCP protocol number, which is stated to be 6 above, at the second location in memory. In step 3, the values of the first two layers of the stack are compared, obtaining a positive result.



TABLE 1
Drop Telnet Process

Step  Packet Filter Code  Virtual Machine Operation                                                        Memory Values (Stack Order)
1     pushbyte [9]        Extract Operation: Extract IP protocol number from packet location 9 to memory    6
2     push 6              Enter Literal Value to Memory: Put TCP protocol number in memory                  6, 6
3     eq                  Comparison Operation: Compare IP protocol to TCP, obtaining a positive result      1
4     pushs [22]          Extract Operation: Extract TCP protocol number from packet location 22 to memory  1, 23
5     push 23             Enter Literal Value to Memory: Put TELNET protocol number in memory               1, 23, 23
6     eq                  Comparison Operation: Compare TCP protocol to TELNET, obtaining a positive result 1, 1
7     and                 Logical Operation: Check if protocol both TCP and TELNET are matched              1
8     btrue drop          Conditional Branch Operation: If memory value is true, branch to drop state

The values of 6 at the top two layers of the stack are deleted and a 1, indicative of the positive result, is placed in the memory. In step 4, the TCP port number for the packet, 23, is extracted from packet location 22 and placed in the memory location at the second layer of the stack. In step 5, the literal value which is the Telnet port number is placed in memory at the third layer of the stack. In step 6 the memory value extracted from the packet is compared with the TCP port number for Telnet, obtaining a positive result. The values of the second and third layers of the stack are deleted and replaced by a 1 indicative of the positive result. In step 7, a logical operation is performed to see if both the TCP and Telnet matches are true, as determined by an AND operation. In this case the result is positive and the two values on the stack are deleted and replaced by a 1 indicative of the positive result. In step 8, since the memory value is true, the program branches to the drop state in which the Telnet request is not passed. Thus the rule to drop Telnet has been implemented.
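The Table 1 program and the Figure 4 rule-to-code generator, as an added Python example that is not part of the patent: a small interpreter for the stack virtual machine (the required extract, compare and logical operations plus literal push and conditional branch) and a rule compiler that emits the Table 1 instruction sequence for a "drop Telnet" rule. The sample packets, the service table, the four-byte `pushl` extract used for address matching and the first-match rule evaluation are assumptions of this example.

```python
import struct


def ip_bytes(addr):
    """Dotted-quad string to four bytes (helper for constructed packets and rules)."""
    return bytes(int(octet) for octet in addr.split("."))


def build_packet(proto, dst_port, src="10.0.0.1", dst="10.0.0.2"):
    """Constructed sample packet (not from the patent): 20-byte IPv4 header followed by a
    20-byte TCP header, so byte 9 is the IP protocol and bytes 22-23 the TCP destination
    port, exactly the offsets the Table 1 walkthrough relies on."""
    ip_hdr = bytes([0x45, 0]) + struct.pack(
        "!HHHBBH4s4s", 40, 0, 0, 64, proto, 0, ip_bytes(src), ip_bytes(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip_hdr + tcp_hdr


TELNET_PACKET = build_packet(6, 23)   # TCP to port 23: the rule must drop it
HTTP_PACKET = build_packet(6, 80)     # TCP to port 80: the Telnet rule does not match
UDP_PACKET = build_packet(17, 23)     # UDP to port 23: the IP protocol check fails

# Assumed service definitions (block 306 of Figure 3): name -> (IP protocol, port).
SERVICES = {"telnet": (6, 23), "http": (6, 80)}


def compile_rule(rule):
    """Figure 4 generator: code matching source, destination and service, then the action."""
    code = []
    # Blocks 406/408: match source and destination objects. 'pushl' is an assumed
    # four-byte extract; the IPv4 source is at offset 12, the destination at offset 16.
    for offset, addr in ((12, rule["source"]), (16, rule["destination"])):
        if addr != "any":
            code += [("pushl", offset), ("push", int.from_bytes(ip_bytes(addr), "big")), ("eq",)]
    # Block 410: match the service exactly as Table 1 does for Telnet.
    proto, port = SERVICES[rule["service"]]
    code += [("pushbyte", 9), ("push", proto), ("eq",),
             ("pushs", 22), ("push", port), ("eq",)]
    # AND the comparison results down to one truth value (two for the service plus one
    # per address matched), then branch to the rule's action if true (block 412).
    checks = 2 + sum(1 for a in (rule["source"], rule["destination"]) if a != "any")
    code += [("and",)] * (checks - 1)
    code.append(("btrue", rule["action"]))
    return code


def run_filter(code, packet):
    """Figures 6/7 virtual machine. Memory is initialised per rule (block 606). Returns
    (decision, trace): decision is 'accept', 'drop' or None (no match, try the next rule);
    trace is the stack after each operation, like the Memory Values column of Table 1."""
    stack, trace = [], []
    for op in code:
        name = op[0]
        if name == "pushbyte":                      # Figure 8: one byte at a packet offset
            stack.append(packet[op[1]])
        elif name == "pushs":                       # Figure 8: two-byte value
            stack.append(int.from_bytes(packet[op[1]:op[1] + 2], "big"))
        elif name == "pushl":                       # assumed four-byte value (addresses)
            stack.append(int.from_bytes(packet[op[1]:op[1] + 4], "big"))
        elif name == "push":                        # Figure 11: literal from instruction code
            stack.append(op[1])
        elif name == "eq":                          # Figure 10: comparison -> 1 or 0
            b, a = stack.pop(), stack.pop()
            stack.append(1 if a == b else 0)
        elif name == "and":                         # Figure 9: logical operation -> 1 or 0
            b, a = stack.pop(), stack.pop()
            stack.append(1 if a and b else 0)
        elif name == "btrue":                       # Figure 12: branch to a stop state if true
            taken = stack.pop()
            trace.append(list(stack))
            if taken:
                return op[1], trace
            continue
        else:
            raise ValueError("unknown operation %r" % (name,))
        trace.append(list(stack))
    return None, trace


def evaluate(rule_base, packet):
    """Figure 5 loop: rules are tried in order; the implicit last rule drops everything."""
    for rule in rule_base:
        decision, _ = run_filter(compile_rule(rule), packet)
        if decision is not None:
            return decision
    return "drop"


DROP_TELNET = {"source": "any", "destination": "any", "service": "telnet", "action": "drop"}
ALLOW_HTTP = {"source": "10.0.0.1", "destination": "10.0.0.2", "service": "http", "action": "accept"}

if __name__ == "__main__":
    code = compile_rule(DROP_TELNET)
    decision, trace = run_filter(code, TELNET_PACKET)
    for step, (op, mem) in enumerate(zip(code, trace), 1):
        print(step, op, mem)                        # reproduces the Table 1 columns
    print("telnet ->", decision, "| http ->", evaluate([DROP_TELNET, ALLOW_HTTP], HTTP_PACKET))
```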

While a preferred embodiment of the invention has been disclosed herein, it would be obvious to those skilled in the art that certain changes and modifications can be made, which are included within the scope of the invention. Thus, while in the embodiment disclosed herein the packet filter operations are generated as a script which is then compiled into object code, it is obvious to those skilled in the art that the script could instead be interpreted directly, to avoid the need to compile the script into object code. It would also be obvious to those skilled in the art to perform the operations of the virtual machine in an equivalent manner. For example, the comparison operation could be performed by subtracting a value from the variable and performing an equality operation against zero. These and other changes and modifications can be made without departing from the scope of the invention.

Claims 



1. A method for controlling a computer network, in which data is passed in said network as data packets, for controlling the passage of said data packets in the network according to a security rule, the method being characterized by the steps of:

a) generating a definition of each aspect of the network controlled by a security rule;

b) generating said security rule in terms of said aspect definitions, for controlling at least one of said aspects;

c) converting said security rule into a set of filter language instructions for controlling operation of a packet filtering module which controls passage of said data packet;

d) providing a packet filter module in at least one network entity to control the passage of data packets in accordance with said rule, said module implementing a packet filtering virtual machine;

e) said module reading and executing said instructions for operating said packet filtering module virtual machine to either accept or reject the passage of said packet in said network.

2. The method according to claim 1 characterized in that said aspects include one of network objects and network services and said object definitions include the address of said object.

3. The method according to claim 1 or 2 characterized in that the filter language instructions of step c) are in the form of a script and further comprising a compiler to compile said script into said instructions executed in step e).

4. The method according to any one of claims 1-3 characterized in that in said generating steps a) and b) the aspects of the network and of the security rule are defined graphically.

5. A method of operating a security system for a computer network in which data is passed in said network as data packets, said system controlling the passage of said data packets in the network according to a security rule, where each aspect of said network controlled by said security rule has been defined, said security rule has been defined in terms of said aspects and converted into filter language instructions, the method being characterized by the steps of:

a) providing a packet filter module in at least one entity of the network to be controlled by said security rule, said module implementing a packet filtering virtual machine which controls passage of said data packet;

b) said module reading and executing said instructions for operating said packet filtering module to either accept or reject the passage of said packet in said network.

6. The method according to claim 5 characterized in that said virtual machine performs a data extraction operation.

7. The method according to claim 5 characterized in that said virtual machine performs a logical operation.

8. The method according to claim 5 characterized in that said virtual machine performs a comparison operation.

9. A method for operating a security system for a computer network in which data is placed in said network as data packets, said system controlling passage of said data packets in the network according to a security rule, where each aspect of said network controlled by said security rule has been defined, said security rule has been defined in terms of said aspects and converted into filter language instructions, the method being characterized by the steps of:

a) providing a packet filter module in at least one entity of the network to be controlled by said security rule, said module emulating a packet filtering module which controls passage of said data packet;

b) said module reading and executing said instructions for a packet filtering operation;

c) storing the results of step b) in a storage device;

d) said module reading and executing instructions and utilizing said stored results for operating said packet filter module to accept or reject the passage of said packet in said network.

10. A security apparatus for a computer network security system in which data is passed in said network as data packets, said system controlling the passage of said data packets in the network according to a security rule, where each aspect of said network controlled by said security rule has been defined, said security rule has been defined in terms of said aspects and converted into filter language instructions, the security apparatus being characterized by: